Description
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet.

Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Published: 2026-06-10
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metrics::Any::Adapter::DogStatsd versions prior to 0.04 for Perl fail to protect against metric injections, allowing an attacker to embed newline and control characters into metric streams or tags. This flaw enables the injection of arbitrary metrics or tag manipulation that can corrupt metric collection, lead to inaccurate monitoring data, or overload the monitoring system, effectively causing a denial of service on the metrics backend. The vulnerability is categorized as CWE-93 (Improper Neutralization of CRLF Sequences) and as CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences).

Affected Systems

The affected products are PEVANS::Metrics::Any::Adapter::DogStatsd 0.01 through 0.03 and any code that uses the underlying Metrics::Any::Adapter::Statsd component with the same vulnerability. Systems that incorporate these Perl modules for sending events to DogStatsd or similar statsd extensions are at risk if they have not upgraded to version 0.04 or later.

Risk and Exploitability

CVSS score of 9.1 indicates critical severity; the EPSS score of 0.00316 indicates a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is likely internal or application‑level; an attacker or malicious user who can send metrics to the vulnerable library can craft payloads containing newline and other control characters to trigger injection. The impact hinges on the availability of the metrics service and the ability to inject data, making the risk moderate to high for environments that rely on accurate monitoring for operational decisions.

Generated by OpenCVE AI on June 19, 2026 at 21:10 UTC.

Remediation

Vendor Solution

Upgrade to v0.04 or later.


OpenCVE Recommended Actions

  • Upgrade Metrics::Any::Adapter::DogStatsd to version 0.04 or later as the official fix
  • Ensure no legacy code paths still reference the pre‑0.04 library and test that the upgrade removes the vulnerability
  • Sanitize or restrict tag input before it reaches the metrics client to eliminate newlines and control characters if an immediate upgrade is not possible
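
The input sanitization recommended in the last item, as an added Perl example (not code from the module or from OpenCVE). `format_unsafe` is a hypothetical formatter with the same class of flaw; `clean`, `format_safe`, `count_metrics` and the allow-list character set are assumptions chosen for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical formatter with the same class of flaw: values are interpolated
# into the DogStatsd line (name:value|type|#k:v,k:v) without neutralization.
sub format_unsafe {
    my ($name, $value, $type, %tags) = @_;
    my $line = "$name:$value|$type";
    $line .= '|#' . join(',', map { "$_:$tags{$_}" } sort keys %tags) if %tags;
    return $line;
}

# Allow-list (an assumption, deliberately strict): anything outside
# [A-Za-z0-9_./-] becomes "_", which removes newlines and the statsd
# separators ":", "|", "#", "@" and ",".
sub clean {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s{[^A-Za-z0-9_./-]}{_}g;
    return $s;
}

sub format_safe {
    my ($name, $value, $type, %tags) = @_;
    # \A ... \z instead of ^ ... $ so a trailing newline cannot slip through.
    die "non-numeric value\n" unless $value =~ /\A-?\d+(?:\.\d+)?\z/;
    die "unknown type\n"      unless $type  =~ /\A(?:c|g|ms|h|s|d)\z/;
    my %clean = map { ( clean($_) => clean($tags{$_}) ) } keys %tags;
    return format_unsafe(clean($name), $value, $type, %clean);
}

# What a statsd receiver sees: one metric per newline-separated line.
sub count_metrics { my @l = grep { length } split /\n/, $_[0]; return scalar @l }

# Constructed input: a tag value copied from untrusted request data.
my %tags = (route => "/login\nconstructed.metric:1|c");

my $unsafe = format_unsafe('app.requests', 1, 'c', %tags);
my $safe   = format_safe('app.requests', 1, 'c', %tags);

printf "unsafe: %d metric(s)\n", count_metrics($unsafe);
printf "safe:   %d metric(s) -> %s\n", count_metrics($safe), $safe;
```

Applying the same `clean` step to metric names covers the similar issue the description notes in Metrics::Any::Adapter::Statsd.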

Generated by OpenCVE AI on June 19, 2026 at 21:10 UTC.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
  Values Added: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Weaknesses CWE-150
References

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Pevans
Pevans metrics::any::adapter::dogstatsd
Vendors & Products Pevans
Pevans metrics::any::adapter::dogstatsd

Wed, 10 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Title Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
Weaknesses CWE-93
References

Subscriptions

Pevans Metrics::any::adapter::dogstatsd
MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:32:58.508Z

Reserved: 2026-06-05T12:07:20.886Z

Link: CVE-2026-50638

Vulnrichment

Updated: 2026-06-11T19:11:29.715Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T19:16:37.380

Modified: 2026-06-11T20:16:25.347

Link: CVE-2026-50638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')